Created attachment 1152899: Heap Overflow test file

Hi, I have informed upstream of this bug, reporting it here just for bug tracking, thanks.

Heap Overflow in latest libdwarf git code.

In file dwarf_elf_access.c:1071

    WRITE_UNALIGNED(dbg,target_section + offset, &outval,sizeof(outval),reloc_size);

A crafted ELF file may lead to a large offset value, which is bigger than the size of the target_section heap chunk, then this WRITE_UNALIGNED() function will write the value of &outval out of the heap chunk. offset is a 64-bit unsigned int value, so this is more than a heap overflow bug, but also an Out-of-Bound write bug. So WRITE_UNALIGNED() needs stricter checking to prevent this.

An example follows:

    *** Error in `/mnt/hgfs/lieanu/tools/AFL_fuzzer/workspace/new_dwarf_bugs/dwarfdump': free(): invalid next size (fast): 0x000000000065b540 ***

    gef> bt
    #0  0x00002aaaab16ecc9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
    #1  0x00002aaaab1720d8 in __GI_abort () at abort.c:89
    #2  0x00002aaaab1ab394 in __libc_message (do_abort=do_abort@entry=1, fmt=fmt@entry=0x2aaaab2b9b28 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
    #3  0x00002aaaab1b766e in malloc_printerr (ptr=<optimized out>, str=0x2aaaab2b9cc8 "free(): invalid next size (fast)", action=1) at malloc.c:4996
    #4  _int_free (av=<optimized out>, p=<optimized out>, have_lock=0) at malloc.c:3840
    #5  0x000000000040dfb1 in esb_destructor (data=data@entry=0x7fffffffd4a0) at esb.c:252
    #6  0x00000000004144ed in print_attribute (dbg=dbg@entry=0x654ea0, die=die@entry=0x65ab40, dieprint_cu_goffset=dieprint_cu_goffset@entry=11, attr=<optimized out>, attr_in=<optimized out>, print_information=print_information@entry=1, die_indent_level=<optimized out>, die_indent_level@entry=0, srcfiles=srcfiles@entry=0x65b450, cnt=cnt@entry=1) at print_die.c:3109
    #7  0x0000000000416f38 in print_one_die (dbg=dbg@entry=0x654ea0, die=die@entry=0x65ab40, dieprint_cu_goffset=dieprint_cu_goffset@entry=11, print_information=1, die_indent_level=0, srcfiles=srcfiles@entry=0x65b450, cnt=cnt@entry=1, ignore_die_stack=ignore_die_stack@entry=0) at print_die.c:1447
    #8  0x0000000000417610 in print_die_and_children_internal (dbg=dbg@entry=0x654ea0, in_die_in=0x65ab40, dieprint_cu_goffset=11, is_info=is_info@entry=1, srcfiles=0x65b450, cnt=1) at print_die.c:1036
    #9  0x0000000000418689 in print_die_and_children (cnt=<optimized out>, srcfiles=<optimized out>, is_info=1, dieprint_cu_goffset=<optimized out>, in_die_in=<optimized out>, dbg=0x654ea0) at print_die.c:910
    #10 print_one_die_section (dbg=0x654ea0, is_info=is_info@entry=1, pod_err=pod_err@entry=0x7fffffffdb38) at print_die.c:820
    #11 0x0000000000418d41 in print_infos (dbg=<optimized out>, is_info=is_info@entry=1) at print_die.c:371
    #12 0x0000000000406fca in process_one_file (l_config_file_data=0x63bda0 <g_config_file_data>, archive=0, tied_file_name=0x0, file_name=0x654030 "collect_dir/crash1", elftied=0x0, elf=<optimized out>) at dwarfdump.c:1352
    #13 main (argc=<optimized out>, argv=<optimized out>) at dwarfdump.c:645

    gef> p *(mchunkptr)main_arena.top
    $24 = struct malloc_chunk {
      prev_size = 0x0,
      size = 0x500000009ab1,
      fd = 0x0,
      bk = 0x0,
      fd_nextsize = 0x0,
      bk_nextsize = 0x0
    }

    gef> p/x main_arena.system_mem
    $27 = 0x21000

The size (0x500000009ab1) of main_arena.top is corrupted, which is larger than the system_mem:0x21000 of main_arena, so a free(): invalid next size (fast) will occur.
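As an added example (not code from this report or from libdwarf), here is the kind of bounds check the reporter asks for, applied before the relocation write. `reloc_target_in_bounds` and `apply_reloc_checked` are hypothetical stand-ins for the WRITE_UNALIGNED() call site in dwarf_elf_access.c; the section buffer and relocation values are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

typedef uint64_t Dwarf_Unsigned;  /* same width as the 64-bit offset in the report */

/* Returns 1 when [offset, offset + reloc_size) fits inside a section of
   section_size bytes, else 0. The comparison is done by subtraction so a
   huge 64-bit offset cannot wrap offset + reloc_size back into range. */
int reloc_target_in_bounds(size_t section_size, Dwarf_Unsigned offset,
                           size_t reloc_size)
{
    if (reloc_size == 0 || reloc_size > 8 || reloc_size > section_size)
        return 0;
    return offset <= (Dwarf_Unsigned)(section_size - reloc_size);
}

/* Hypothetical checked replacement for the WRITE_UNALIGNED() call site:
   copies the low reloc_size bytes of outval (little-endian) into
   target_section + offset, but only after the bounds check. Returns 0 on
   success, -1 when the relocation would land outside the heap chunk. */
int apply_reloc_checked(unsigned char *target_section, size_t section_size,
                        Dwarf_Unsigned offset, Dwarf_Unsigned outval,
                        size_t reloc_size)
{
    unsigned char bytes[8];
    if (!reloc_target_in_bounds(section_size, offset, reloc_size))
        return -1;
    for (size_t i = 0; i < 8; i++)
        bytes[i] = (unsigned char)(outval >> (8 * i));
    memcpy(target_section + offset, bytes, reloc_size);  /* unaligned-safe copy */
    return 0;
}

int main(void)
{
    unsigned char section[16] = {0};  /* constructed stand-in for a section chunk */
    /* In-bounds 4-byte relocation at offset 12 succeeds. */
    int ok = apply_reloc_checked(section, sizeof section, 12, 0xdeadbeef, 4);
    /* Crafted offset far beyond the chunk (the report's case) is rejected. */
    int bad = apply_reloc_checked(section, sizeof section,
                                  0xffffffffffff0000ULL, 0, 4);
    printf("in-bounds: %d, out-of-bounds: %d\n", ok, bad);  /* in-bounds: 0, out-of-bounds: -1 */
    return 0;
}
```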
libdwarf-20160507-1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-f36c5935e5
libdwarf-20160507-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-f36c5935e5
libdwarf-20160507-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.